ryuk | d60b2f5e3e76368744a64f8bad795a46dab2d688aef700a59454a21d1d373fd7

Analysis

max time kernel
186s
max time network
34s
platform
windows7_x64
resource
win7v20210408
submitted
27-04-2021 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

towering-self.exe
Size

170KB
MD5

f3e6e7e502eca5920215b6b03d388cb7
SHA1

3f364a481ea56a248dd4493400c10362cf48a3ff
SHA256

d60b2f5e3e76368744a64f8bad795a46dab2d688aef700a59454a21d1d373fd7
SHA512

c6ea4ab5241577bd89343e7843df974024e2289473a032eb62aeaa653892b4904f42527336a3403eacaf64e941174b574b892ee8b8beb21266993d0afb8cb759

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ConfirmOut.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\CopyUnregister.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmOut.tiff	Dwm.exe
File opened for modification	C:\Users\Admin\Pictures\CopyUnregister.tiff	Dwm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\towering-self.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB10.BDR	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN044.XML	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR33F.GIF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18208_.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Panama	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00336_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1036\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV.HXS	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234000.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Inuvik	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Amsterdam	Dwm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195788.WMF	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15277_.GIF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Darwin	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLMAIL.FAE	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\grvschema.xsd	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv	Dwm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Nauru	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_justify.gif	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CLICK.WAV	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Saipan	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107026.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187895.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18216_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Metro.eftx	Dwm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01253_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02218_.GIF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBCN6.CHM	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00382_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\GWE.ICO	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfo.zip	Dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
69676	vssadmin.exe
70372	vssadmin.exe
70216	vssadmin.exe
69544	vssadmin.exe
69584	vssadmin.exe
69704	vssadmin.exe
70268	vssadmin.exe
70632	vssadmin.exe
4292	vssadmin.exe
18956	vssadmin.exe
69968	vssadmin.exe
69416	vssadmin.exe
69472	vssadmin.exe
69512	vssadmin.exe
70188	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

towering-self.exe

pid process

940 towering-self.exe

pid	process
940	towering-self.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

towering-self.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	940	towering-self.exe
Token: SeBackupPrivilege	69996	vssvc.exe
Token: SeRestorePrivilege	69996	vssvc.exe
Token: SeAuditPrivilege	69996	vssvc.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

taskhost.exeDwm.exe

pid process

1088 taskhost.exe
1168 Dwm.exe

pid	process
1088	taskhost.exe
1168	Dwm.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

towering-self.execmd.exetaskhost.execmd.exeDwm.execmd.exe

description	pid	process	target process
PID 940 wrote to memory of 800	940	towering-self.exe	cmd.exe
PID 940 wrote to memory of 800	940	towering-self.exe	cmd.exe
PID 940 wrote to memory of 800	940	towering-self.exe	cmd.exe
PID 940 wrote to memory of 1088	940	towering-self.exe	taskhost.exe
PID 940 wrote to memory of 1168	940	towering-self.exe	Dwm.exe
PID 940 wrote to memory of 800	940	towering-self.exe	cmd.exe
PID 800 wrote to memory of 1652	800	cmd.exe	reg.exe
PID 800 wrote to memory of 1652	800	cmd.exe	reg.exe
PID 800 wrote to memory of 1652	800	cmd.exe	reg.exe
PID 1088 wrote to memory of 69932	1088	taskhost.exe	cmd.exe
PID 1088 wrote to memory of 69932	1088	taskhost.exe	cmd.exe
PID 1088 wrote to memory of 69932	1088	taskhost.exe	cmd.exe
PID 69932 wrote to memory of 69968	69932	cmd.exe	vssadmin.exe
PID 69932 wrote to memory of 69968	69932	cmd.exe	vssadmin.exe
PID 69932 wrote to memory of 69968	69932	cmd.exe	vssadmin.exe
PID 1168 wrote to memory of 69384	1168	Dwm.exe	cmd.exe
PID 1168 wrote to memory of 69384	1168	Dwm.exe	cmd.exe
PID 1168 wrote to memory of 69384	1168	Dwm.exe	cmd.exe
PID 69384 wrote to memory of 69416	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69416	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69416	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69472	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69472	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69472	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69512	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69512	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69512	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69544	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69544	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69544	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69584	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69584	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69584	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69676	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69676	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69676	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69704	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69704	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 69704	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 70372	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 70372	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 70372	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 70188	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 70188	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 70188	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 70216	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 70216	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 70216	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 70268	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 70268	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 70268	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 70632	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 70632	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 70632	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 4292	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 4292	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 4292	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 18956	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 18956	69384	cmd.exe	vssadmin.exe
PID 69384 wrote to memory of 18956	69384	cmd.exe	vssadmin.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:69384

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:69416

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:69472

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:69512

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69544

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69584

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69676

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69704

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70372

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70188

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70216

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70268

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70632

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4292

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:18956

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:69932

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:69968

C:\Users\Admin\AppData\Local\Temp\towering-self.exe
"C:\Users\Admin\AppData\Local\Temp\towering-self.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\towering-self.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\towering-self.exe" /f
3⤵
- Adds Run key to start application
PID:1652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:69996

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:69444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
54de18e34c72e9d63808be82bd67a032

SHA1
0104cf565873a8d87d8e435d46009724ab855736

SHA256
82d00bed5648d4df876fa3dae935a9f5efdd1a4edb1539c3ebcb090320dbc105

SHA512
9431da1efaaada2e50f608e256aa59c2b4fad033dd778db9a224ec341cb144cdf89bc323d3a84d232501b2e40f245ced349c03b4d791d9d221e6bc45eae08d35

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

MD5
25ed06504e87d83ec75c66de089d7f0e

SHA1
5fdcd0d9de99c76fd87e12ea7155327fd8634240

SHA256
eaa45bdfa11471a4a2c1d6d8c1fe1b03b476943273f5c554847ce6271815748c

SHA512
f400bcf873c0bdcc4eca90ced164b207bbd2462bc11293fd56728a40652e267dad0c3fd9a9e5104cfa3cfc8dfd5dafad8d14f3467ba8cc017252434d0d196bc7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml

MD5
640eab78edede49ebb76b30480ad8183

SHA1
1506e0df922d088bafe84b3aabc7c813faec0310

SHA256
0666c21b51471c92391f4de6c53a3b645ed89a5a0fdc6d4168b587a055679b39

SHA512
eb2ea29865125e511945997fb9f61dbde0c33179237e37e15ca7f783a9a663e947491276041ee3e44b0f5d14a05fec0b86a15f884771e2dbf39204bed825e710

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
8cd5c3406ea408c9507c45551ec13456

SHA1
c6598b05556ebb427c412f1390ea68063b96356f

SHA256
4bfded44938d9b4ecb694eba01146c07fcd27e5b688e21cfd40cf2152396691d

SHA512
11cc58c4645b906c0b85be86e6590ec41766bb9cc02c0fbfc86a59753ea098fef56d9d0a1ec2a40330087781a85719c79a8f489a40a5e5d0c5a71a2049debde1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml

MD5
d78a8833391b430fbc915dece03cf064

SHA1
b558d6449e50910997d6797338e91b3e38cebba1

SHA256
49c09a3de8c91a88e4a3ecccd9576499f2e09299c8e3187533edb57b6b85841d

SHA512
f3120c99ac9b7cd73afaff0d52af110501a4f8db74d89e39c4e168910cd43b7186658382bdeea2056cc41ed39265361d5c257d368966c6818f98a68a7891d253

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
62e72fd048d95ba846240dfe72a77fe0

SHA1
2319a8d14c27aa30063096039b425349b7b6d685

SHA256
d350feec9bf9bab65eae4b493cf86f50cad8f84ab3e0b6c4605fd0e10285d743

SHA512
1dab1c2e8bf61853d568890c5a9c1ed4a24725730aa74498f170fd6978cd404bf0ee03a0f10464d6daa0f1ee4525be7ab787436670c1e7b96ce3fab4066530bd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
9729ea1a23119a0428acd698c69afee3

SHA1
b3408344795cbf4df41322e093751a7333db7bb4

SHA256
ef2ebee3f4eb6c389d32d708ecc6e7983c4560bf8930ef9f3a394eb1ef07f0c5

SHA512
7750c5c9f7e03e7a22ef8865467103eee4558f2f9798c27dd1a1d167dcae39cdc85426012a20563c345f2aa0c4cae2dd356cf5e1d22ed5c317b0a04dbf6038b5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml

MD5
cb103cc8dc3ba1c1ed506e9b98a9c4dc

SHA1
371b68920bf1d6f4e6b64367905c8b52b1092333

SHA256
a1043868a20064060dc4c9c7185d3fccd9ac79b93f0bcc59df0b1293128f343f

SHA512
9dccafe91b42375bb76343cc3bbd9316c2fd1aaa51ece5757f37f7359d28288d3cc99e5a6c6fdd0ebcc03e0735d137b83147e5bb70dc0ef82282e27e22907196

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms

MD5
29480bfcee0765fbafded9ba5270c2df

SHA1
ffe560c02fab5ce099ebc65431320d0a8911e04e

SHA256
dc312b351043418a8d1cafaf39a0dd9814b66a155eb0f331755203bb9b1a66ce

SHA512
734ae4af44e9484ff1c215a25f4e9bff12b61b68ca25400d780f22bc23611523285dc801aedbfbc87b4d23110a5d0701c284d58573db011b1f7cc63a5def8981

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

MD5
d1aa644ca365b359540e2872488a3f73

SHA1
55a68998f038ccb26236eaed08c8e16ecd6ebebb

SHA256
23903578a88328e8af33e39a8b56afb3d59992ae50d6e066acf392d02d249557

SHA512
05c7599e30cc0ab544edd57b390a27eb518a9af5bb71ee100a16340accb8f5a44bfc1fab8ae61d433030e2caea32a05414dca5ad0274ebb354dee1bdc5fa044a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi

MD5
1e64d30ee8bc72a0c25094b61cce45ca

SHA1
1b332e8032d475439ff75071ed78ef35d7ab14ce

SHA256
46e755a6f0e317ccc2d435111053c793e58ba7196e7cbe854d06205f46c6163a

SHA512
f8405daf022179e26f661f689dea310dddac0fc2904b8e3bd9b4ed38a162f1df9854ddc83ca99fccb589be0590f55e857a75a1765101dab7ac77bbd7e61b8543

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml

MD5
da5d3a201d063984c3d36fadcc2a5587

SHA1
77879fd19fccfe61b46e7765d7522e95c9078518

SHA256
9c4a764870435b173d152c062f150999c6235c3c5146e686362296d3ab1bc72c

SHA512
0110c4cf01dc25a205660d07c0d7a4d95115c0c6630e1f3eb923207d2a61c01a8f83d41071468d862aa358df334853ae3ec6fc8f3b39fc1fe6acc634a278fff4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
4073a426fedf9198219e38f127621d69

SHA1
3ffe8407fc6adbfad7403b6b9591634057838797

SHA256
1d08c07c354e0f0114c045e13cad41cafd992b523607b992aad483665631e5e7

SHA512
ae43c616156b59416e80b5f2d503a6acfaf3327d6fc8402e5d7914b539f42857400894c6fa7970f61a468a6edee4621ba9dd2328d3dfa3f0e36bd4fe86ffc953

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi

MD5
bf999da0a853587d37cb348b85cb5dcd

SHA1
c06eb310f60ed5f4b1d30c45e0a4a9d7a476817a

SHA256
044f941ff81e369cc1756c381797b140a75ab0ce547ec0163408f89190d02a3a

SHA512
4cdc35889cb6da24317f9450f25991c7c8c5fe38f373f53daf60bd936c39ea1706ec99fdfdd7956a81d9052c0c15588f2f0102372fe8b560528e0d97c223b64e

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml

MD5
cf9f6b91a039d1cd87bc03357468049b

SHA1
832d4ffa1d109bee73483021e37bf3477eae701b

SHA256
2bda83e5f8b8700ae45c0f0477120ac0d30c0c18954a83b47a7c873cf9632adb

SHA512
a29d0c66531d3a776cbe3de7dc306e34ce02025b5edcfbff4f8c9702e05283731ae3203e375f17c18351fe4eb194254809a37e5bd6f05edb1cd35c60e2466676

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab

MD5
5a4276d153b0f2ac4cc2c9fc924990e8

SHA1
28482f0859f593b1b7dee466ee1c8625ab28b4f0

SHA256
ff3065e50e9ee00a0d851da8e5a989a9e67464e95ce45070dee233e558407e99

SHA512
ca4fa002c3794fb5d44b545c131f3180ed960188099d4e8fd177c5e62005b791e329a891235aeda659261d74ef766f333065a98029a066f49f653a670c73fd72

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
b0ceb008206b66302a445f454055d049

SHA1
f543de84dfea7652a320d2557ec74e271c8519bb

SHA256
6c739279d789f761c51c9f884168f06862551d1823a637835795e8ae58a34817

SHA512
b84bcc038bca97d0197a8814e6226758746baf9eeb07de2f46b659a94e8f3e9e28b19045de2c7767ff85a9eb87893aa97d7ae482f43ca4615d09e599f49aef00

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab

MD5
2a7efa3416dae985fd0d5113bcfbba94

SHA1
b7f11c067eeccaa3ba4b0db4fd74722b685df213

SHA256
a0da255c1341a71788c23b4579ec2e9b2091b55bfa003e7f81ba8c94a07be335

SHA512
56dde2cfc2a4462c22f695d900973818ee3261c491a0c66c6d29f2386ae19fd18986259a785ddb03ab16481bfa939a21b75fa2f2b611a2c96a95660069f4f8fd

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi

MD5
21b94322efd019bb53c806422534d8fc

SHA1
e0e5a61471ce1b5238890c601ddddf4c5017906f

SHA256
fd6cc1421411a3d89680ea619434c9a63df560b0ee2397a646d4804faa557e03

SHA512
7cd6733a00149cf8958eb1edf1e813f662efcd5ebfc0a86f5b1060c2ed30d0378bbd2b86d28207452eb5afde1f1d3bd0ba444bff30bbec267dfceb78edf24150

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml

MD5
b2fe6a40d1d75bf7be423245578e42cf

SHA1
9422b2a320ed8cdcc2fb46cc950105973ce9798d

SHA256
e35c6964ca70888c4506b5fcf6b77cf11368535a29b6157870f5a2e9ff39ea52

SHA512
d91cef1a67eb1e66d5d8c63e70680eef38eb987f93ecc3adc44d6bfb1db5646fb30e417779748066c49377d87df71629a17b7a9bfd3495393a0c56ace9a4e8e5

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
8ec43d0ce49374b9a1c44920409d1a83

SHA1
25324464efcc5fc985fdf3d05dd5b5652e969739

SHA256
da348c9c99b363d7734e3fb9f68bb38ba9e985bc95574d49462cb1232bc73139

SHA512
2b6afd027e0d99716913bf24d996fd54cbfe9f2b4f73dc6e3f5f880cb4dc00778a5d1d8f2163c8900f62f5833cb5dc726d09f0d37c11a9ff96a542c1d1d523be

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

MD5
21464e7414cede058fc3aec8dbdc8e0f

SHA1
97e794e4bfbb7909a45dac37f38f27d38e6f84f8

SHA256
7f2600301da993b5aae99d5b013d8d89aae59d339141cedc1de6570d2d9359ff

SHA512
97706684671e324b60528a87f6381489d064618c5e66cc109aef19645f36573f821f3658886c4c441c93733033f9e2e052cba2811646d1380c2cb3c908f66fd3

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi

MD5
9833b315373cd4ccd81f7ae4a487ab1a

SHA1
b9a624add1b758ba76c5c65a2be0885fd33defe4

SHA256
417bd360bac53cc31676f822c78e5da9b27be75ee9c57bb3823a17eca3e68831

SHA512
f40eb7e88fd01cf1ec79e1932cf30171bae64df79fe8ae36f1d1612247e9801af5f40aa1127f278694503e231bbf103531c12508a098cb9c1bf4d5abe659d2ae

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml

MD5
ef260af3ab1681e964f725ba670bdf63

SHA1
b4afe475343b2ff742afa91f80a6d02d0cd1a220

SHA256
6fa9b7c03ac3ca154a9c88447dc944128912e69b357ceb71a74e9b782fa9ca50

SHA512
8be6489d233f52196d03c000abc0959e73e13c604802245014a44191554a028f9510c1b6030eafc48f6b7a240b0ca5befabf200bf794b6508bc9c2762402504f

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
6014e26fbbae620656fd98b9a133480f

SHA1
ba4d9f75e4b3a1d7135616603872c3d9e1c1fe7b

SHA256
adfa8db2db285cc08f70096602d67f2eee2e38024ea46b72ebb402492c2d0cc3

SHA512
20458ada15482de5fae9bc8f0ea813a5dfb141e3502e7db6ff6903cc9c935c1bad7d0eca903b92a145661685d94a1410e8a361e5ac9cd61c31d5d42035ef79a7

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
b963c08f06f5b0cbf738627a7d24981e

SHA1
2d2b3cd5ebab9a8e926c6cfde5c2e969d94c9422

SHA256
2f54a10fce7e9d338f033f4f32a865803e01e4168793da8c507134e1f2c84493

SHA512
d4214c159af0a964ef79aad009533c1711f3f999e10b748f71800f905ee514de4d8be58c82558f12b3c1c0b4d16b98df6406c977539211914761b8932d6260ac

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5
9b80786b34fc1545fb5a973ae372e9a7

SHA1
4867415a1f8f46fdf98e0e54b80e710521ee23a3

SHA256
ca7108198c1ca698263f5ae0c600556001afeb777f3f513c80c88f95651bd5da

SHA512
3e052f133443c480c51ed1fbf6ee129af634c435623edebafcc5f1c3a8f964ea841cd6b59372a710d198430e1dd31a00c1345e2a2ddb5d40ca93bd9c12bbb346

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi

MD5
0a88db03355dd2fcf5139b795209746f

SHA1
eab7bca765281eed436220f5dca9f22d0252a147

SHA256
6dffb56ef2ac0dc6b1e3db22715441935912fe756c66ffba5ba9021c19734c7e

SHA512
10117c52fa61efc316ed10406516bba836044f1aee8bcf053e5300abfb81317bc8f5406ddd58b1be50955dae45b6ed3a0bbf57b597a8bae639fd766ff3378aa0

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml

MD5
b463c8f26b04fb13b859dfd96a528a1f

SHA1
040590abaf905836aebb222af3dca45a3a053ea1

SHA256
117f6d43909c73a90d7327c9f425818b8b0cd8e7e6c6f7d79bfe577e4036db34

SHA512
8ae1be58199387f8257c34925ddf4a03b5ca440fe562e94e41cd452fa6afa55d1857f9dcf1ee8ba49ef99f724e80c2f211af8078e6533dc8b1fd96643335936c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi

MD5
9aede56b0d5c833ea7047b5140e7937f

SHA1
bc25f6f53a8bfad2ae9195d90742f0e83d2a6b91

SHA256
fdaec9832b680a460d96aeb6e2cae56f8d31c6ed989b4d3e6d6e34775d1e0fca

SHA512
1a99bc9ac829d4fa38347ce5d7e2d469294e7692ed19d06e4f49f2b23b7ee63ef372fa1a391fbe984654efac6b7016669a1fcec417ddc5011f77864d6cd99ec9

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab

MD5
06dd24ea88d9d6a30d40894bbb6218fb

SHA1
fbfb87c077b284ae636c9dc66b10cbe01eab55e4

SHA256
c8d8bf52f14a68ec1d9008c95905c7728df5523769f3dcbcc7691acc14ea88d7

SHA512
71ba6474fe07b4781616a0049e0445b80aadaf307ff8a419edf19f5f5962ecb53170074e35d43f4628b1c80291cb1a2c9163fd32c1eceba37189aee389bba71c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml

MD5
e93cdae8e0b5786ebfa21fb8671a81b2

SHA1
bc0e05e15870054dfced4bb9d049ec8eee3e5b6d

SHA256
9f5740fa46a216d3b0bea9208c7047d3296bdd6e0840ccbb01f9d5dcfeb280c0

SHA512
63409809e95b6dc2cea4e1546ca348618fc9eb12b122c9ad01cbd55dea80da7e61fd9c6c2dae8d29320f8f831a8475e5108df550b51ce4267b9e36cca71e87a1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi

MD5
61bdc61c716d81390982d7f0d249d956

SHA1
f965e5ae3ccba6186e719d63e7b8c874b4ad0a4b

SHA256
6d1b46dc8e3f62d1f26b549cc3bf535026d501174d17b4e1f5b6c2e649de3463

SHA512
aee1fda03545f71d4788d6f8152fac2448d31687b618ac3b7efaaffe22c39fe1901003c801738e39aff87b0d59cf3df58ad7e8b278cc5c832d39c42c87e2fd29

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi

MD5
0a287de089c2d3c51f75f0cf7609b605

SHA1
e540dde07a81be5fde379997ec8b06f7c8ba5423

SHA256
dcf275efdcc116256f612c2fe46881ee629ccd19a456e50480c577309d3ea0e0

SHA512
f5d605a2b324115cb45359408a1cda2e0cefea23482672c3a87b09c9dd41a9f2dd94eb9d8d660ac465652b69874dbed16c66f8eea7d1883f48e7a28406910a64

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
e8c3730d496df1a9e4e15aea682d4e7d

SHA1
551c0ae5a74b0bcc29475f1609b8f8dd23294111

SHA256
7bd2d9164f30e09c927e4fe8cb89b6e6e85e55751e16469b0692af5081503862

SHA512
61c7a9495e76cac5f65d890a6c1c2d2bead6a660ba6ad77048d51077544bbcf9a107fae690ce1797bfd38befbe36839b8fc39417156aa1b62433d565b25158d9

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi

MD5
049e048bcba3490d4196cf6ee0f9d240

SHA1
837a337a91738dddb9115d061741aaae989eb181

SHA256
58d952c1975fbe5ee12912ad34f71a15ad1614e300ab65d256a21152850b54a2

SHA512
ee801ddba0669d613d12b86f26e6a9537f329bba5ef526215fe580cd94cfc3e49a1de9e2340eebaf3d3e2614a366bdb8f21b3c8b6eb16012297d09cf8ed681c5

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
d591150cf665bfb4610f823cac11d26a

SHA1
ffb071add70ff97f9731b7e5f6b91d57ee7943ce

SHA256
fde3cce792981e11e0b32931b938b641fc3618654d9844e50c04bbfc8cb35ed2

SHA512
12c1cea16ccaec255cea9557a847d3f4331c0c6db3b2688fb93855d60a688abeeeb927d9a180d722156129816a222bc12a089e4fc3edfb87183437133be1974e

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\PerfLogs\Admin\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\PerfLogs\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_14c10c19-3a0b-4ef0-8928-af871cb14c00

MD5
6d821cec13c32ca8e06adc5367b2ab4b

SHA1
5898f3721a038a658e3f13b333ff2f6d04fd1848

SHA256
3a90850c6a00a4de0a410424d47f45381f98a1058363fa4ae108d91366e3ddc0

SHA512
397790a6a9db3f76bb0d988de207cb805601f9b2722d4be67a7d1fda2ed90efafda743d61b1b2a01dce4e614bacee976886a46bbbd2a1b2cb94dc20c397fa036

Download Submit
C:\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\users\Public\window.bat

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
memory/800-61-0x0000000000000000-mapping.dmp

Download
memory/940-60-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/1088-62-0x000000013F050000-0x000000013F3DE000-memory.dmp

Filesize
3.6MB

Download
memory/1652-64-0x0000000000000000-mapping.dmp

Download
memory/4292-145-0x0000000000000000-mapping.dmp

Download
memory/18956-146-0x0000000000000000-mapping.dmp

Download
memory/69384-132-0x0000000000000000-mapping.dmp

Download
memory/69416-133-0x0000000000000000-mapping.dmp

Download
memory/69472-134-0x0000000000000000-mapping.dmp

Download
memory/69512-135-0x0000000000000000-mapping.dmp

Download
memory/69544-136-0x0000000000000000-mapping.dmp

Download
memory/69584-137-0x0000000000000000-mapping.dmp

Download
memory/69676-138-0x0000000000000000-mapping.dmp

Download
memory/69704-139-0x0000000000000000-mapping.dmp

Download
memory/69932-66-0x0000000000000000-mapping.dmp

Download
memory/69968-68-0x0000000000000000-mapping.dmp

Download
memory/70188-141-0x0000000000000000-mapping.dmp

Download
memory/70216-142-0x0000000000000000-mapping.dmp

Download
memory/70268-143-0x0000000000000000-mapping.dmp

Download
memory/70372-140-0x0000000000000000-mapping.dmp

Download
memory/70632-144-0x0000000000000000-mapping.dmp

Download